What to Know About the Recent IAB changes to CCPA compliance

28 May 2021

Recently the IAB (Interactive Advertising Bureau) has released amendments to the CCPA agreement for compliance.

What to know about the recent IAB changes to CCPA compliance

What to know about the recent IAB changes to CCPA compliance

Targeted towards all Limited Service Provider Agreement (LSPA) signatories to update their registration information. Regarding the California Consumer Privacy Act (CCPA) which may have required some companies to sign the IAB Privacy Limited Service Provider Agreement (LSPA) to complete the compliance process. There has now been updates to this agreement just after a year in the market. This comes as the IAB have reviewed the regulations and market practices since the agreement was first released, giving them time to consider what needs to be updated.

One of the biggest changes being publisher obligations and the definition of “re-sale”. Current companies who signed the agreement will need to provide new information as part of their registration, which companies have had until May 7th 2021.

The updates to the LSPA are effective from May 7th 2021 and companies are expected to comply and adapt to these changes.

LSPA Revisions

Let’s go over the notable changes since the first release of the CCPA IAB agreement:

Definition of “Re-Sale”

Before the definition was a little ambiguous, the new revision includes an updated version. It states in a more clear way that “a Sale by a Downstream Participant after a Sale to such Downstream Participant by the Publisher Digital Property”, giving more emphasis on what is classed as a “Re-Sale”.

Updated Notice Obligations for Publishers

New changes now include different publisher notice obligations for when a consumer clicks a link.

  • A clear disclosure that Downstream Participants may Re-Sell the Consumer’s Personal Information that was Sold to them by the Publisher.

  • A clear disclosure that the Consumer has the right to Opt Out of the Re-Sale of the Consumer’s Personal Information. The publisher must now make this process more easier and accessible to the consumer, giving them a list of downstream participants where they can out-out from. This addition is what fulfils the provision of “explicit notice” under the CCPA for downstream participants.

  • Removal of the obligation to the “90-day look-back period” regarding Sales”. This was in the initial version of the LSPA but never adopted in the Final Text of Regulations, so it is now removed to make things more clear. Removal of various other obligations which are not relevant for notice required under the CCPA or its Regulations. Staying more aligned with the CCPA law.

  • New restrictions on re-selling personal information, the new agreement now states that for Non-Opt Out Transactions where the LSPA Transaction Signal is set to “Yes,” a Downstream Participant may Re-Sell Personal Information only if the Downstream Participant also provides a “Do Not Sell My Personal Information” link in accordance with the CCPA.

  • Changes to data deletion requests, as part of the new agreement, companies must now adds a representation and warranty that Signatories will implement the IAB Tech Lab’s specification for Data Deletion Requests.

  • No more requirements for IPDPs, now the definition of In Process Data Providers and all other references to this concept have been deleted.

LSPA Registration

The IAB organisation is providing a new streamlined web interface for this newly required registration. This interface also includes management features for companies who have signed the LSPA.

For current companies who have already registered, their data has been migrated to this new system. They should have received an email regarding this action welcoming them to the new system. From this interface, companies can manage their registration and provide links with evidence to their Opt-Out notice to support the amended notice obligations mentioned above.

Updated US Privacy String

Another important thing to note is there has also been an update to the US Privacy String.

  • Version 1-1.1 Stated (in summary): Publishers are required to send a Yes/No signal indicating if a publisher had provided explicit notice.

  • Version 1.2: Now states (in summary): The Yes/No signal for CCPA will now indicate if a Publisher has provided notice pursuant with providing the opportunity for a Consumer to Opt-Out of the Sale of their Personal Information.

You can find more about how UniConsent for CCPA Compliance works.

About UniConsent

UniConsent is a part of Transfon’s privacy-first User Experience Platform serves tens of millions of users per day to provide a seamless privacy experience for both users and publishers in the age of post GDPR. Contact us to know more: [email protected]

Get started to make your website compliant for EU GDPR, US CCPA.

Sign up

Consent Management Platform Resources

Get started to make your website compliant for EU GDPR, US CCPA.

Sign up